cyberattack

Auto Added by WPeMatico

Cyber risk startup Safe Security lands $33M from UK telco BT

Safe Security, a Silicon Valley cyber risk management startup, has secured a $33 million investment from U.K. telco BT. 

Founded in 2012, Safe Security — formerly known as Lucideus — helps organizations measure and mitigate enterprise-wide cyber risk using its security assessment framework for enterprises (SAFE) platform. The service, which is used by a number of companies, including Facebook, Softbank and Xiaomi, helps businesses understand their likelihood of suffering a major cyberattack, calculates a financial cost to customers’ risks and provides actionable insight on the steps that can be taken to address them.

This funding round saw participation from Safe Security’s existing investors, including former Cisco chairman and chief executive John Chambers, and brings the total amount raised by Safe Security to $49.2 million.

BT said the investment, which is its first major third-party investment in cybersecurity since 2006, reflected its plans to grow rapidly in the sector. Philip Jansen, BT CEO said: “Cybersecurity is now at the top of the agenda for businesses and governments, who need to be able to trust that they’re protected against increasing levels of attack. 

“Already one of the world’s leading providers in a highly fragmented security market, this investment is a clear sign of BT’s ambition to grow further.”

The startup’s co-founder and chief executive Saket Modi said he was “delighted” to be working with BT.

“By aligning BT’s global reach and capabilities with SAFE’s ability to provide real-time visibility on cyber risk posture, we are going to fundamentally change how security is measured and managed across the globe,” he said.

As part of the investment, which will see Safe Security double its engineering team by the end of the year, BT will combine the SAFE platform with its managed security services, and gain exclusive rights to use and sell SAFE to businesses and public sector bodies in the U.K. BT will also work collaboratively with Safe Security to develop future products, according to an announcement from the company.

Safe Security’s competitors include UpGuard, Exabeam and VisibleRisk.

Powered by WPeMatico

GasBuddy tops the App Store for the first time due to Colonial Pipeline attack

The GasBuddy mobile app, which typically helps consumers find the cheapest gas nearby, has now become the No. 1 app on the U.S. App Store for the first time ever, due to the fuel shortages in the U.S. that followed the cyberattack on the Colonial Pipeline. Americans, fearful that gas would become unavailable, began panic-buying in ways that haven’t been seen since the great toilet paper outage of 2020. As a result, thousands of gas stations ran out of fuel entirely. This dramatic situation has greatly benefitted the GasBuddy app, which includes a crowdsourced feature that helps users locate which local stations still have gas for sale.

As of Wednesday afternoon, GasBuddy says the effects of the Colonial Pipeline shutdown are being felt across 11 U.S. states, largely in the Southeast and Washington, D.C. North Carolina had the highest number of gas stations with fuel outages, with 65% of stations reportedly out of gas as of 2:48 p.m. ET on Wednesday. Kentucky has the lowest at only 2%. Because this data is self-reported by GasBuddy users, it may not represent the most current information, we should note.

Image Credits: GasBuddy app screenshot

During the week, consumers have been turning to GasBuddy to help them find where they can fill up. Yesterday, the app hit No. 1 in the “Travel” category on the App Store, while it steadily climbed its way up the App Store’s Top Overall charts.

This afternoon, GasBuddy became both the No.1 app in the non-games category as well as the highest-ranked app Overall across the U.S. App Store.

According to data from app store intelligence firm Apptopia, GasBuddy yesterday saw 15,203 new downloads — a 59% increase from its average daily downloads, which were 9,560 for the past 30 days. However, third-party data isn’t always accurate for sudden shots in rank — it catches up a few days after the fact.

Image Credits: Apptopia

Reached for comment, GasBuddy says its downloads were actually far higher than the third-party estimates. Across all platforms, including both iOS and Google Play, it saw 20x more downloads yesterday compared with an average day in 2021. The company told TechCrunch it counted 313,001 total downloads yesterday, compared with average daily downloads for the previous 30 days of 15,339.

Broken down by platform, GasBuddy says it saw 104,735 downloads on Android and 208,266 downloads on iOS on Tuesday, May 11, 2021.

Apptopia also noted that GasBuddy hadn’t been the No. 1 app on the App Store in all the time it’s been recording app store rankings, which goes back to January 1, 2015. However, it noted the app itself launched back in 2010, making it possible (though not likely) that the app had reached No. 1 at some point.

GasBuddy confirmed that’s not the case. Today is the first time it has ever topped the App Store, though it got close once before when it reached No. 2 behind a walkie-talkie app during Hurricane Irma in September 2017.

Image Credits: App Store screenshot on Wed., May 12, 2021

Consumers can continue to track statewide fuel outages here on GasBuddy’s website as well as where highest prices are being found. In the app, they can report whether gas stations have gas or diesel, as well as current prices.

The Colonial Pipeline, which runs 5,500 miles from the Gulf to the Northeast, shut down on Friday due to a ransomware attack from a criminal hacking network known as DarkSide, which is suspected to be based in Russia or Eastern Europe. The pipeline delivers about 45% of fuel used by the Eastern Seaboard. Reports of the shutdown sent Americans to stock up on gas, worsening the situation further. The U.S. Energy Secretary Jennifer Granholm said the Colonial Pipeline intends to restore operations by the end of the week.

Powered by WPeMatico

Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

The current risks aren’t just technology problems; they’re also problems of people and processes.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the midpandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter the active directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.

Powered by WPeMatico

Dragos raises $110M Series C as demand to secure industrial systems soars

Cybersecurity firm Dragos has raised $110 million in its Series C, almost triple the amount that it raised two years ago in its last round.

Dragos was founded in 2016 to detect and respond to threats facing industrial control systems (ICS), the devices critical to the continued operations of power plants, water and energy supplies, and other critical infrastructure. The company’s threat detection platform — its moneymaker — helps companies with industrial control systems defend against hackers trying to get into important operational systems. Its platform kicks out hackers that could shut down manufacturing lines or control energy supply systems, while its research arm keeps tabs on the hackers that can break into these highly complex and segmented industrial networks in the first place.

The startup’s latest round was led by National Grid Partners and Koch Disruptive Technologies, with both firms adding a member each to Dragos’ board. The round also saw participation from Saudi Aramco Energy Ventures and Hewlett Packard Enterprise, as well as return investors Allegis Cyber, Canaan Partners, DataTribe, Energy Impact Partners and Schweitzer Engineering Labs.

This latest round of funding will help the company with its go-to-market efforts, as well as growing its customer support team with 30 staff and building up its sales and marketing team. Lee said the company’s priority had been to work on its threat platform, and less selling it.

About one-third of the company’s employees work in software engineering to build its threat platform.

Dragos founder and chief executive Robert Lee said the pandemic, which forced vast swathes of the world to work remotely from home under lockdown restrictions, served as a wake-up call for companies with critical infrastructure.

“When you’re talking about critical infrastructure sites and people’s utilities, you need to put your best foot forward on the tech first,” he said.

Many companies were already trying to adapt with the digital age, but Lee said many companies realized they had underinvested in ICS security.

Dragos team picture

A team photo of Dragos employees. Image Credits: Dragos

Based just outside Washington D.C., Dragos now has over 220 employees and will be adding more, close to doubling its headcount since last year, and adding new offices in Melbourne, Dubai and in the United Kingdom.

Lee said the U.K.’s transition out of the European Union would all but ensure that the new U.K. office could not serve as an EU hub for the company, but that it was necessary to “to go where the problems are.”

Another one of those places is Saudi Arabia, one of the world’s largest oil and gas producers, where Dragos has an office and now draws an investment. Saudi oil and gas manufacturing plants have been the target of several cyberattacks, including the Trisis malware in 2017 that shut down one of the kingdom’s biggest petrochemical plants. But the country has faced extensive criticism for its human rights record by international rights groups. Lee said the company works to protect infrastructure that serves civilians and has actively rejected military contracts that would fall afoul of those values. “I don’t want to put asterisks on that mission,” he said.

Lee told TechCrunch that the company has grown at a rapid pace since it was founded four years ago.

“Our goal was never to get acquired,” he said. Echoing remarks he made last year, Lee said that the company’s plan was to continue growing and investing in the problems that Dragos sees — with an eventual goal to take the company public. “But we’re not rushed,” he said.

“The hallmark of Dragos being successful won’t be a successful IPO,” said Lee. “The hallmark will be having validated and built the market large enough that there can be other companies that come behind us serving the other more niche aspects of the ICS market and building out the community, and making sure our infrastructure is safer.”

Powered by WPeMatico

Decrypted: Apple and Facebook’s privacy feud, Twitter hires Mudge, mysterious zero-days

Trump’s election denialism saw him retaliate in a way that isn’t just putting the remainder of his presidency in jeopardy, it’s already putting the next administration in harm’s way.

In a stunning display of retaliation, Trump fired CISA director Chris Krebs last week after declaring that there was “no evidence that any voting system deleted or lost votes, changed votes or was in any way compromised,” a direct contradiction to the conspiracy-fueled fever dreams of the president who repeatedly claimed, without evidence, that the election had been hijacked by the Democrats. CISA is left distracted by disarray, with multiple senior leaders leaving their posts — some walked, some were pushed — only for the next likely chief to stumble before he even starts because of concerns with his security clearance.

Until yesterday, Biden’s presidential transition team was stuck in cybersecurity purgatory because the incumbent administration refused to trigger the law that grants the incoming team access to government resources, including cybersecurity protections. That’s left the incoming president exposed to ongoing cyber threats, all while being shut out from classified briefings that describe those threats in detail.

As Biden builds his team, Silicon Valley is also gearing up for a change in government — and temperament. But don’t expect too much of the backlash to change. Much of the antitrust allegations, privacy violations and net neutrality remain hot button issues, and the tech titans resorting to cheap “charm offenses” are likely to face the music under the Biden administration — whether they like it or not.

Here’s more from the week.


THE BIG PICTURE

Apple and Facebook spar over privacy — again

Apple and Facebook are back in the ring, fighting over which company is a bigger existential threat to privacy. In a letter to a privacy rights group, Apple said its new anti-tracking feature will launch next year, which will give users the choice of blocking in-app tracking, a move that’s largely expected to cause havoc to the online advertising industry and data brokers.

Given an explicit option between being tracked and not, as the feature will do, most are expected to decline.

Apple’s letter specifically called out Facebook for showing a “disregard for user privacy.” Facebook, which made more than 98% of its global revenue last year from advertising, took its own potshot back at Apple, claiming the iPhone maker was “using their dominant market position to self-preference their own data collection, while making it nearly impossible for their competitors to use the same data.”

Powered by WPeMatico

Here’s what’s happening at Disrupt 2020 today

Rise, shine and build your business startup fans. It’s day four of Disrupt 2020, and this is your daily snapshot of just some of the heavy-hitters, events, breakout sessions and all-around opportunity that’s yours for the taking.

Looking for the complete lineup? You’ll find it in the Disrupt agenda. Note: unless otherwise stated, all times are PST. Kicking yourself for not jumping on the opportunity bandwagon? Simply buy a Disrupt pass here, and kick your regrets to the curb.

Buckle up, folks — you’re in for a great day.

Athleisure wear is one of the hottest trends in retail, and it’s certainly a popular work-at-home wardrobe during a pandemic. Head to the Disrupt Stage and join comedian/tech investor Kevin Hart and Fabletics’ Adam Goldenberg for Retail is in the Details. They’ll talk about the company’s future and the type of tech Hart may invest in next (9:05 a.m. – 9:30 a.m.).

Everybody loves robots, but not many people know more about them than Boston Dynamics’ Robert Playter. You’ll find him on the Disrupt Stage talking about the company’s transition from robotics research to commercial production. Don’t miss Putting Robots to Work (10:00 a.m. – 10:20 a.m.)

We trust you haven’t missed a minute of the always-thrilling Startup Battlefield pitch competition. Still, a reminder never hurts. Session four takes place on the Disrupt Stage. Don’t miss watching today’s cohort lay it all on the line for a shot at $100,000 (10:40 a.m. – 11:45 a.m.).

Okay folks this session, Under the Radar, is a big, big deal. Legendary VC and Silicon Valley force of nature, Benchmark’s Peter Fenton joins us on the Disrupt Stage for a rare interview. Topic? The future of startups and venture capital (11:45 a.m. – 12:05 p.m.).

Head to the Extra Crunch Stage for product development tips from current and former product heads at places like Facebook, Zoom, Slack, Hulu and Oculus. Zoom’s Oded Gal, Advisor’s Eugene Wei, Slack’s Tamar Yehoshua and Inspirit’s Julie Zhuo will discuss How to Iterate Your Product (11:50 a.m. – 12:45 p.m.).

Data security is everyone’s concern — from budding startup founders all the way up to the NSA. Don’t miss Spycraft and Cybersecurity and the opportunity to hear Anne Neuberger, head of the NSA’s new Cybersecurity Directorate. She’ll take to the Disrupt Stage and discuss cyber threats, disrupting foreign adversaries and helping you improve your own cybersecurity (1:00 p.m. – 1:20 p.m.).

Whew, that rundown should whet your appetite for the day ahead. Connect, inspire, collaborate and take advantage of all the tips, advice, tools and opportunity Disrupt 2020 offers.

Still standing on the sidelines? You have two full days left to Disrupt and reject regret. Buy a Disrupt pass right now.

Powered by WPeMatico

A SonicWall cloud bug exposed corporate networks to hackers

A newly discovered bug in a cloud system used to manage SonicWall firewalls could have allowed hackers to break into thousands of corporate networks.

Enterprise firewalls and virtual private network appliances are vital gatekeepers tasked with protecting corporate networks from hackers and cyberattacks while still letting in employees working from home during the pandemic. Even though most offices are empty, hackers frequently look for bugs in critical network gear in order to break into company networks to steal data or plant malware.

Vangelis Stykas, a researcher at security firm Pen Test Partners, found the new bug in SonicWall’s Global Management System (GMS), a web app that lets IT departments remotely configure their SonicWall devices across the network.

But the bug, if exploited, meant any existing user with access to SonicWall’s GMS could create a user account with access to any other company’s network without permission.

From there, the newly created account could remotely manage the SonicWall gear of that company.

In a blog post shared with TechCrunch, Stykas said there were two barriers to entry. Firstly, a would-be attacker would need an existing SonicWall GMS user account. The easiest way — and what Stykas did to independently test the bug — was to buy a SonicWall device.

The second issue was that the would-be attacker would also need to guess a unique seven-digit number associated with another company’s network. But Stykas said that this number appeared to be sequential and could be easily enumerated, one after the other.

Once inside a company’s network, the attacker could deliver ransomware directly to the internal systems of their victims, an increasingly popular tactic for financially driven hackers.

SonicWall confirmed the bug is now fixed. But Stykas criticized the company for taking more than two weeks to patch the vulnerability, which he described as “trivial” to exploit.

“Even car alarm vendors have fixed similar issues inside three days of us reporting,” he wrote.

A SonicWall spokesperson defended the decision to subject the fix to a “full” quality check before it was rolled out, and said it is “not aware” of any exploitation of the vulnerability.

Powered by WPeMatico

UK report blasts Huawei for network security incompetence

The latest report by a UK oversight body set up to evaluation Chinese networking giant Huawei’s approach to security has dialled up pressure on the company, giving a damning assessment of what it describes as “serious and systematic defects” in its software engineering and cyber security competence.

Although the report falls short of calling for an outright ban on Huawei equipment in domestic networks — an option U.S. president Trump continues dangling across the pond.

The report, prepared for the National Security Advisor of the UK by the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, also identifies new “significant technical issues” which it says lead to new risks for UK telecommunications networks using Huawei kit.

The HCSEC was set up by Huawei in 2010, under what the oversight board couches as “a set of arrangements with the UK government”, to provide information to state agencies on its products and strategies in order that security risks could be evaluated.

And last year, under pressure from UK security agencies concerned about technical deficiencies in its products, Huawei pledged to spend $2BN to try to address long-running concerns about its products in the country.

But the report throws doubt on its ability to address UK concerns — with the board writing that it has “not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects”.

So it sounds like $2BN isn’t going to be nearly enough to fix Huawei’s security problem in just one European country.

The board also writes that it will require “sustained evidence” of better software engineering and cyber security “quality”, verified by HCSEC and the UK’s National Cyber Security Centre (NCSC), if there’s to be any possibility of it reaching a different assessment of the company’s ability to reboot its security credentials.

While another damning assessment contained in the report is that Huawei has made “no material progress” on issues raised by last year’s report.

All the issues identified by the security evaluation process relate to “basic engineering competence and cyber security hygiene”, which the board notes gives rise to vulnerabilities capable of being exploited by “a range of actors”.

It adds that the NCSC does not believe the defects found are a result of Chinese state interference.

This year’s report is the fifth the oversight board has produced since it was established in 2014, and it comes at a time of acute scrutiny for Huawei, as 5G network rollouts are ramping up globally — pushing governments to address head on suspicions attached to the Chinese giant and consider whether to trust it with critical next-gen infrastructure.

“The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated,” the report warns in one of several key conclusions that make very uncomfortable reading for Huawei.

“Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term,” it adds in summary.

Reached for its response to the report, a Huawei UK spokesperson sent us a statement in which it describes the $2BN earmarked for security improvements related to UK products as an “initial budget”.

It writes:

The 2019 OB [oversight board] report details some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year Huawei’s Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2BN.

A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.

Seeking to find something positive to salvage from the report’s savaging, Huawei suggests it demonstrates the continued effectiveness of the HCSEC as a structure to evaluate and mitigate security risk — flagging a description where the board writes that it’s “arguably the toughest and most rigorous in the world”, and which Huawei claims shows at least there hasn’t been any increase in vulnerability of UK networks since the last report.

Though the report does identify new issues that open up fresh problems — albeit the underlying issues were presumably there last year too, just laying undiscovered.

The board’s withering assessment certainly amps up the pressure on Huawei which has been aggressively battling U.S.-led suspicion of its kit — claiming in a telecoms conference speech last month that “the U.S. security accusation of our 5G has no evidence”, for instance.

At the same time it has been appealing for the industry to work together to come up with collective processes for evaluating the security and trustworthiness of network kit.

And earlier this month it opened another cyber security transparency center — this time at the heart of Europe in Brussels, where the company has been lobbying policymakers to help establish security standards to foster collective trust. Though there’s little doubt that’s a long game.

Meanwhile, critics of Huawei can now point to impatience rising in the U.K., despite comments by the head of the NCSC, Ciaran Martin, last month — who said then that security agencies believe the risk of using Huawei kit can be managed, suggesting the government won’t push for an outright ban.

The report does not literally overturn that view but it does blast out a very loud and alarming warning about the difficulty for UK operators to “appropriately” risk-manage what’s branded defective and vulnerable Huawei kit. Including flagging the risk of future products — which the board suggests will be increasingly complex to manage. All of which could well just push operators to seek alternatives.

On the mitigation front, the board writes that — “in extremis” — the NCSC could order Huawei to carry out specific fixes for equipment currently installed in the UK. Though it also warns that such a step would be difficult, and could for example require hardware replacement which may not mesh with operators “natural” asset management and upgrades cycles, emphasizing it does not offer a sustainable solution to the underlying technical issues.

“Given both the shortfalls in good software engineering and cyber security practice and the currently unknown trajectory of Huawei’s R&D processes through their announced transformation plan, it is highly likely that security risk management of products that are new to the UK or new major releases of software for products currently in the UK will be more difficult,” the board writes in a concluding section discussing the UK national security risk.

“On the basis of the work already carried out by HCSEC, the NCSC considers it highly likely that there would be new software engineering and cyber security issues in products HCSEC has not yet examined.”

It also describes the number and severity of vulnerabilities plus architectural and build issues discovered by a relatively small team in the HCSEC as “a particular concern”.

“If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly,” it warns. “Other impacts could include being able to access user traffic or reconfiguration of the network elements.”

In another section on mitigating risks of using Huawei kit, the board notes that “architectural controls” in place in most UK operators can limit the ability of attackers to exploit any vulnerable network elements not explicitly exposed to the public Internet — adding that such controls, combined with good opsec generally, will “remain critically important in the coming years to manage the residual risks caused by the engineering defects identified”.

In other highlights from the report the board does have some positive things to say, writing that an NCSC technical review of its capabilities showed improvements in 2018, while another independent audit of HCSEC’s ability to operate independently of Huawei HQ once again found “no high or medium priority findings”.

“The audit report identified one low-rated finding, relating to delivery of information and equipment within agreed Service Level Agreements. Ernst & Young concluded that there were no major concerns and the Oversight Board is satisfied that HCSEC is operating in line with the 2010 arrangements between HMG and the company,” it further notes.

Last month the European Commissioner said it was preparing to step in to ensure a “common approach” across the European Union where 5G network security is concerned — warning of the risk of fragmentation across the single market. Though it has so far steered clear of any bans.

Earlier this week it issued a set of recommendations for Member States, combining legislative and policy measures to assess 5G network security risks and help strengthen preventive measures.

Among the operational measures it suggests Member States take is to complete a national risk assessment of 5G network infrastructures by the end of June 2019, and follow that by updating existing security requirements for network providers — including conditions for ensuring the security of public networks.

“These measures should include reinforced obligations on suppliers and operators to ensure the security of the networks,” it recommends. “The national risk assessments and measures should consider various risk factors, such as technical risks and risks linked to the behaviour of suppliers or operators, including those from third countries. National risk assessments will be a central element towards building a coordinated EU risk assessment.”  

At an EU level the Commission said Member States should share information on network security, saying this “coordinated work should support Member States’ actions at national level and provide guidance to the Commission for possible further steps at EU level” — leaving the door open for further action.

While the EU’s executive body has not pushed for a pan-EU ban on any 5G vendors it did restate Member States’ right to exclude companies from their markets for national security reasons if they fail to comply with their own standards and legal framework.

Powered by WPeMatico